Book chapter
Adaptive Deterrence of DNS Cache Poisoning
Security and Privacy in Communication Networks, pp.171-191
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Springer International Publishing
12/29/2018
DOI: 10.1007/978-3-030-01704-0_10
Abstract
Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms for protecting such systems is often very challenging, as they must maintain compatibility with existing implementations while minimizing deployment cost and performance overhead. The Domain Name System (DNS) is one such noteworthy example; the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection; modest deployment; complex configuration; dependence on domain owners’ participation. We propose CGuard, an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protects the cache entries under attack by only updating them through available high confidence channels. CGuard’s effective defense is immediately deployable by the caching resolvers without having to rely on domain owners’ assistance, and is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that by taking away the attacker’s incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high confidence channels into a deterrence. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.
Details
- Title: Subtitle
- Adaptive Deterrence of DNS Cache Poisoning
- Creators
- Sze Yiu Chau (Purdue University West Lafayette)
- Omar Chowdhury (University of Iowa)
- Victor Gonsalves (Purdue University West Lafayette)
- Huangyi Ge (Purdue University West Lafayette)
- Weining Yang (Google)
- Sonia Fahmy (Purdue University West Lafayette)
- Ninghui Li (Purdue University West Lafayette)
- Resource Type
- Book chapter
- Publication Details
- Security and Privacy in Communication Networks, pp.171-191
- Publisher
- Springer International Publishing; Cham
- Series
- Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
- DOI
- 10.1007/978-3-030-01704-0_10
- eISSN
- 1867-822X
- ISSN
- 1867-8211
- Language
- English
- Date published
- 12/29/2018
- Academic Unit
- Computer Science
- Record Identifier
- 9984259405302771